raccoon

General

Target

57C9479F9B4B3A71A8AF9F8BFB7DDA53.exe
Size

4.6MB
Sample

210811-778226d3le
MD5

57c9479f9b4b3a71a8af9f8bfb7dda53
SHA1

789dad79552581e4b24cb0b57d36aba44200041d
SHA256

c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c
SHA512

1814f3ea07929ae2ee522d13812fd434ce526e27ae44a272e44d80d2712179db147250c942bf02714d912794e96aa40f1526d5163e2f8d1133d64a89dae834c5

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

39.9

Botnet

706

C2

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

7new

C2

sytareliar.xyz:80

yabelesatg.xyz:80

ceneimarck.xyz:80

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

rc4.i32

Extracted

Family

vidar

Version

40

Botnet

916

C2

https://lenak513.tumblr.com/

Attributes

profile_id
916

Extracted

Family

raccoon

Botnet

39b871ed120e56ecbdc546b8a8a78c4e5516bc1f

Attributes

url4cnc
https://telete.in/uiopoppiscess

rc4.plain

Targets

- Target
  
  57C9479F9B4B3A71A8AF9F8BFB7DDA53.exe
- Size
  
  4.6MB
- MD5
  
  57c9479f9b4b3a71a8af9f8bfb7dda53
- SHA1
  
  789dad79552581e4b24cb0b57d36aba44200041d
- SHA256
  
  c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c
- SHA512
  
  1814f3ea07929ae2ee522d13812fd434ce526e27ae44a272e44d80d2712179db147250c942bf02714d912794e96aa40f1526d5163e2f8d1133d64a89dae834c5
Score

10^/10

redline socelars vidar 706 aspackv2 infostealer stealer suricata raccoon smokeloader 39b871ed120e56ecbdc546b8a8a78c4e5516bc1f 7new 916 backdoor persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- Raccoon Stealer Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
  suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2